DevOps · Flashcard

What is the point of using OIDC to authenticate to a cloud provider?

  • A. Exchange a short-lived OIDC token for cloud credentials at runtime, so no long-lived keys are stored
  • B. Store the cloud provider access key and secret in encrypted repository secrets, read in at runtime
  • C. Install the cloud CLI on a self-hosted runner already authenticated through its own instance profile
  • D. Embed a long-lived service-account token in the workflow file, scoped down to the deployment role

Why this is the answer

OIDC exchanges a short-lived token for cloud credentials on each run, so no static keys are stored. Storing an access key in secrets is the approach OIDC replaces, an instance profile ties you to self-hosted infrastructure, and embedding a token in the workflow file is hardcoding a secret.
